Anyone?

Message: 20
Date: Thu, 5 May 2005 15:26:11 -0700 (PDT)
From: Damian Sobieralski <[EMAIL PROTECTED]>
Subject: Re: Kerberos
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

> PAM does not map well to Kerberos, unfortunately. Generally speaking
> you want to avoid PAM with Kerberos if you can possibly use native
> Kerberos :-)

It seems my ignorance is kicking in here - how would they log into the machine first, to issue "kinit"/native, if I don't use PAM to get them INTO the machine?

> I haven't used pam_krb5 in a long time, but perhaps I can help debug
> things. Can you post your PAM configure for however it is that you're
> logging in? (SSH, local console, kerberos telnet, etc). The ccache=
> option to the PAM module looks applicable, for example.

I just modified the /etc/pam.d/sshd file (only using kerberos for sshd):

    # auth
    auth       required     pam_nologin.so     no_warn
    auth       sufficient   pam_opie.so        no_warn no_fake_prompts
    auth       requisite    pam_opieaccess.so  no_warn allow_local
    auth       sufficient   pam_krb5.so        no_warn try_first_pass
    auth       required     pam_unix.so        no_warn try_first_pass

    # account
    account    required     pam_login_access.so
    account    required     pam_unix.so

    # session
    session    required     pam_permit.so

    # password
    password   required     pam_unix.so        no_warn try_first_pass

I wasn't using ccache but I looked it up and tried. I put in a goofy filename and when I do a kdestroy, logout, log back in and do a klist, I don't see my weird filename. It still is looking for the /tmp/krbcc_ one.

    auth       sufficient   pam_krb5.so        no_warn try_first_pass ccache=/tmp/bubba_u%u_p%p

When I log in via pam and ssh, with this change shouldn't I see from klist /tmp/bubba_u... as my ticket error, not the no ticket found with the /tmp/krbcc?
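
An added example, not part of the original message: a simplified model of how the control flags in the auth stack posted above decide which modules are called, useful for checking whether pam_krb5.so is reached at all on a given login. It models only success or failure per module (no PAM_IGNORE or per-module error codes), and the function names and per-module outcomes are constructed for illustration.

```python
# Simplified model of PAM control flags (success/failure only; PAM_IGNORE and
# module-specific error codes are not modelled). Stack copied from the post.
AUTH_STACK = """\
# auth
auth required   pam_nologin.so    no_warn
auth sufficient pam_opie.so       no_warn no_fake_prompts
auth requisite  pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so       no_warn try_first_pass
auth required   pam_unix.so       no_warn try_first_pass
"""

def parse(stack):
    """Return (control, module) pairs for each non-comment line."""
    entries = []
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """results maps module name -> True (success) or False (failure).
    Returns (authenticated, modules_called_in_order)."""
    called, failed = [], False
    for control, module in entries:
        called.append(module)
        ok = results[module]
        if ok and control == "sufficient" and not failed:
            break                  # chain ends here with success
        if not ok and control in ("required", "requisite"):
            failed = True          # a "sufficient" failure is ignored
            if control == "requisite":
                break              # chain ends here with failure
    return (not failed, called)

if __name__ == "__main__":
    # Constructed outcomes: OPIE rejects the response, Kerberos accepts it.
    outcome = {"pam_nologin.so": True, "pam_opie.so": False,
               "pam_opieaccess.so": True, "pam_krb5.so": True,
               "pam_unix.so": False}
    ok, called = evaluate(parse(AUTH_STACK), outcome)
    print("authenticated:", ok)
    print("modules called:", ", ".join(called))
```

In this model a login can succeed without pam_krb5.so having accepted the password (pam_opie.so succeeds first, or pam_krb5.so fails and pam_unix.so succeeds), so a successful ssh login alone does not show which module authenticated the user.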
